Monday, 19 October 2009

Checkpoint Traffic Sniffing

There are a couple of handy commands for sniffing traffic on Checkpoint.

Tcpdump and fw monitor.


The following runs a tcpdump capture on IPSO, snagging the entire packet to a file:
tcpdump -s1700 -w output.cap -ni <interface> host <IP-addr>

Without the -s1700 it'll just grab the first part of each packet and not the full contents. If you're running it on a newer platform (e.g. SPLAT) then you can probably use -s0 instead, it's to specify the size of the packets that are recorded.

The problem with tcpdump is that running it on a device designed to filter traffic means you may not be seeing exactly what you expect. So it's probably better to use "fw monitor", the Checkpoint tool that lets you specify exactly where in the stack you are sniffing packets from.

The official guide is here.

Not much more to say about it except to give a simple example for reference:
fw monitor -e 'accept src=<src-ip> or dst=<dst-ip>;'

Just remember to terminate each line with a semi-colon.